On Tue, Nov 04, 2014 at 02:39:41PM -0500, Salz, Rich wrote:
> Thanks for the detailed feedback!
>
> > 1. The list of applicable signing keys included in the tarballs and
> > elsewhere only lists the fingerprints
>
> We'll fix that.

I don't think there is anything wrong with fingerprints. However, I would like to get rid of the v3 keys. And at least several mentioned in the tarball can be removed and/or replaced I think.

> > 4. Some releases are signed with keys not on the list in the previous
> > tarball, breaking the chain of trust.
>
> We had a key-signing ceremony at the recent F2F, so this should be better
> addressed now.

I think the point is that he would like to see the fingerprint in a previous tarball and not suddenly someone doing an upload with a key not mentioned in it before.

Kurt